ipfw firewalling for bhyve host, bypassing bhyve guests

From: void <void_at_f-m.fm>
Date: Sun, 15 Oct 2023 14:13:59 UTC
Hello,

My objective is to protect services on a bhyve host, while allowing traffic 
to the bhyve guests to pass to them unprocessed, as these each have pf and 
their own firewall policies. The host running an up-to-date 13-stable.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes 
layer 3 so that is why i want to use ipfw on the bhyve host.

So we have bridge0 with igb0 tap0 and tap1 as members.
In this example, igb0 has a mac address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply 
no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 
apart from 10.0.0.0/24

22:22:22:22:22:22 passing unhindered, unprocessed.

Possible?

--